The new 2021 report and study, the Open Source Security and Risk Analysis from Synopsys examined audit data from 1,500 + commercial codebases to examine how organizations are using open source code. The past year with the COVID pandemic saw a significant increase from last year’s report, with the number of open source vulnerabilities in codebases increasing from 75% to 84%. Part of the reason that the vulnerabilities may have increased is the need from organizations to get their applications to production more quickly to meet the demands of employees working from home. Rushing applications to market meant less rigorous testing and the push out to production of applications that had vulnerabilities in them. K2 wrote about last years report as well in a blog post, showing also that 82% of components in codebases were more than 4 years out of date.
Organizations may be less likely to fix all the vulnerabilities in the code when they get too many reports of vulnerabilities from the their SAST and DAST testing tools, reports that lack verification or proof of a vulnerability. This is one of the challenges in application security that we wrote about in a recent blog post. When existing tools produce too many false positives, it’s important to enhance the results of security testing to get validation of the discovered vulnerabilities.
For organizations that want an easy way to confirm vulnerabilities and get proof of the exploitability of the vulnerability, they can now do this with no changes to the testing methodology or testing tools. By adding the K2 Security Platform agent to the application server undergoing a DAST or penetration test, K2 can provide enhanced IAST-like results by giving the visibility to the tested applications that DAST testing tools are missing. By pairing K2 with an existing DAST or penetration testing tool, K2 can corroborate the DAST tool’s results, while at the same time providing additional details, including the filename containing the vulnerability, the line number within the file that contains the vulnerable code, and the proof and validation of the exploitability of the vulnerability. In addition K2 can also find and report on additional vulnerabilities with the added visibility into the application that the DAST tool may miss.
By adding an agent on the application server, organizations can get enhanced IAST results from their existing DAST tools, without having to learn and implement an IAST tool. K2 Cyber Security is a great addition for adding visibility into the threats discovered by penetration and security testing tools in pre-production and can also find additional vulnerabilities during testing that testing tools may have missed. K2 can pinpoint the exact location of the discovered vulnerability in the code. When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability, details that testing tools typically are unable to provide, enabling developers to start the remediation process quickly.
Get more out of your application security testing and change how you protect your applications, and check out K2’s application workload security solution and get IAST results from your DAST testing today.
Take a Page from NIST to Improve Application Security
There are a number of simple measures an organization can take to improve their web application security stance. First starts at the very beginning of application development, and that’s making sure developers take security into consideration when developing and coding applications. Second, is making sure that software and operating systems are kept up to date, with the latest updates and patches to ensure known vulnerabilities that have patches are not exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure security for web applications running in production, especially against threats either missed or not typically secured by network or system level security. The OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
It is important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as added layers of security in the framework.
Change how you protect your applications, and check out K2’s web application and application workload security solutions and evaluate K2’s effectiveness at detecting vulnerabilities and protecting your organization from attacks.